Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

audiopod

v1.0.2

Use SkillBoss API Hub for audio processing tasks including AI music generation (text-to-music, instrumentals, samples), text-to-speech, speech-to-text transc...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL.md describes audio tasks (music generation, TTS, STT, stem separation, noise reduction) and the runtime examples only call https://api.skillboss.co/v1/pilot with an API key — that is coherent with the stated purpose. However, the registry metadata claims no required environment variables or primary credential while the SKILL.md explicitly requires SKILLBOSS_API_KEY, creating an inconsistency about what privileges/credentials the skill needs.
Instruction Scope
Instructions are focused on calling the SkillBoss API and include examples for sending remote URLs or base64-encoding local audio files. The skill asks the agent to read files provided by the user (e.g., /path/to/song.mp3) and the SKILLBOSS_API_KEY env var. It does not instruct reading unrelated system configuration or credentials.
Install Mechanism
There is no install spec and no code files to install — the skill is instruction-only, which minimizes disk-write risk.
Credentials
The SKILL.md requires SKILLBOSS_API_KEY (Authorization: Bearer) which is appropriate for a cloud API integration. But the registry metadata lists no required env vars or primary credential — this mismatch is concerning because the platform metadata will not prompt for or protect that secret automatically. Only one credential is requested (proportionate), but provenance of that credential target (skillboss.co) is not verifiable from the package (no homepage/source).
Persistence & Privilege
always:false and no install actions are declared; the skill does not request permanent presence or modifications to other skills or system config.
What to consider before installing
This skill appears to do what it says (call SkillBoss for audio tasks) but has two red flags: the SKILL.md requires SKILLBOSS_API_KEY while the registry metadata lists no required env var, and there is no homepage or clear source owner. Before installing: (1) verify the SkillBoss API domain (https://skillboss.co and https://api.skillboss.co) and the service's privacy/terms, (2) only provide a scoped, revocable API key (not your primary or broadly privileged credential), (3) avoid pointing the skill at sensitive local files — only upload audio you control, (4) prefer running the skill in a sandboxed environment or with an API key that can be revoked, and (5) if you need higher assurance ask the publisher for a canonical homepage or source repository and for the registry metadata to be corrected to declare SKILLBOSS_API_KEY.

Like a lobster shell, security has layers — review code before you run it.
